Respond to a privacy breach at your federal institution

For federal institutions subject to the Privacy Act, a privacy breach involves improper or unauthorized collection, use, disclosure, retention or disposal of personal information. A privacy breach may occur within an institution or off-site and may be the result of inadvertent errors or malicious actions by employees, third parties, partners in information-sharing agreements or intruders.

Federal institutions are required to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat (TBS) of all material privacy breaches and of the mitigation measures being implemented, if the breach involves sensitive personal information and could reasonably be expected to cause serious injury to the individual.

TBS is responsible for preparing policy instruments concerning the operation of the Privacy Act and its regulations. This includes issuing directives and guidelines on privacy breaches related to the Privacy Act.

Guidelines for Privacy Breaches

The Treasury Board of Canada Secretariat’s guidelines on privacy breaches under the Privacy Act.

Report a privacy breach at your federal institution

Forms and information for Government of Canada institutions subject to the Privacy Act wanting to report a breach to the OPC.

Date modified: